Das Paper “Secure Scrum: Development of Secure Software with Scrum” der MuSe Autoren Christoph Pohl und Hans-Joachim Hof wurde für “The Ninth International Conference on Emerging Security Information, Systems and Technologies – SECURWARE 2015” in Venedig, Italien angenommen.
Abstract des Papers:
Nowadays, the use of agile software development methods like Scrum is common in industry and academia. Considering the current attacking landscape, it is clear that developing secure software should be a main concern in all software development projects. In traditional software projects, security issues require detailed planning in an initial planning phase, typically resulting in a detailed security analysis (e.g. threat and risk analysis), a security architecture and instructions for security implementation (e.g. specification of key sizes and cryptographic algorithms to use). Agile software development methods like Scrum are known for reducing the initial planning phases (e.g. sprint 0 in Scrum) and focusing more on producing running code. Scrum is also known for allowing fast adaption of the emerging software to changes of customer wishes. For security, this means that it is likely that there is no detailed security architecture and no security implementation instructions from the start of the project. It also means that a lot of design decisions will be made during the runtime of the project. Hence, to address security in Scrum, it is necessary to consider security issues throughout the whole software development process.
Secure Scrum is a variation of the Scrum framework with special focus on the development of secure software. It puts emphasis on how to implement security related issues without the need of changing the underlying Scrum process or influencing team dynamics. Secure Scrum allows even non-security experts to spot security issues, to implement security features, and to verify implementations. A field test of Secure Scrum shows that the security level of software developed using Secure Scrum is higher then the security level of software developed pure Scrum.